Researchers warn that many Linux and Unix systems contain a Samba vulnerability that could eventually lead to attacks...
similar to WannaCry or worse, if IT pros don't remediate quickly.
According to the Samba security advisory, the vulnerability (CVE-2017-7494) affects versions 3.5 (released March 1, 2010) and newer. The Samba vulnerability is remotely exploitable and could allow "a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it."
Nick Bilogorskiy, senior director of threat operations at Cyphort, said although there are no active exploits in the wild, the damage from this Samba vulnerability could be steep.
"Because this vulnerability allows remote code execution, attackers will have full control over a compromised machine, and any payload is possible," Bilogorskiy told SearchSecurity. "For example, [an attacker could] drop a backdoor, steal data from the system, spy on the user, attack other systems or try to encrypt all data for a ransom."
Lane Thames, senior security researcher at Tripwire, said exploiting the Samba vulnerability "is a little more difficult than the SMB vulnerability targeted by WannaCry."
"For example, to exploit CVE-2017-7494 an attacker must find a vulnerable system, then find the path of an appropriate file share on the system, and the attacker must be either authenticated with the vulnerable Samba server or the share must be available to be written to without authentication," Thames told SearchSecurity. "Regardless, enterprises should move fast to patch this vulnerability and ensure that no unnecessary Samba services are exposed to the internet."
Samba vulnerability remediation
Research from Rapid7 Labs said attacks on this Samba vulnerability could come over the same port 445 used to access SMB on Windows machines, but port 139 could also expose endpoints to attack. Rapid7 suggested "organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets."
A patch has been released and the Samba advisory also noted a potential workaround for those who can't patch right away. Samba said adding the argument "nt pipe support = no" to the global section of the Samba configuration file will mitigate the threat, but could have the added consequence of disabling "some expected functionality for Windows clients."
Thames said the enterprise space will be "concerned with their file and print server systems running on top of Linux and Unix operation systems that use Samba," but warned that storage solutions "can also pose significant risks."
"Most of these storage devices use embedded Linux and Samba for their file sharing functionalities. Moreover, it is these types of devices that are likely to be the most troublesome for us with this vulnerability," Thames said. "Enterprise server vendors are moving fast to push out patches to enterprise customers for this Samba vulnerability. However, [network-attached storage] vendors might not move so quickly on this and in some cases they might not even issue patches for this."
Samba vs. WannaCry
Craig Williams, senior technical leader at Cisco Talos, said the comparisons between this Samba vulnerability and WannaCry "are due to the fact that both of these issues affected the same protocol."
"Samba is basically what [Linux/Unix] systems use to talk to Windows file stores and printers," Williams told SearchSecurity. "That said, to date we have not seen a worm or even an exploit with a ransomware payload though this could change at any second."
Bilogorskiy said although WannaCry makes better headlines, the better comparison was to EternalBlue -- the SMB vulnerability exploited by WannaCry -- because "right now we are dealing with a vulnerability, not malware yet."
"If a worm is discovered exploiting this Samba vulnerability, then yes, WannaCry comparisons are warranted and there are ways how it may even be worse than WannaCry. WannaCry hit Windows systems, more than 60 days after the patch. Most of them had auto-update enabled and were not vulnerable," Bilogorskiy said. "Any Samba worm may hit Linux and Unix servers, where most do not have auto-update enabled. In fact some of these Unix systems work for years without any maintenance. Also, unlike workstations, most of them are always on, users never power them off. So [there are] more online unpatched targets for a worm to infect."
Learn about Microsoft slamming the NSA about vulnerability hoarding.
Find out how to combat network-attached storage device risks.
Get info on how NAS and SAN storage systems compare.